@aws-cdk-testing/cli-integ 2.159.1 → 2.161.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,700 @@
1
+ Description: This stack includes resources needed to deploy AWS CDK apps into this
2
+ environment
3
+ Parameters:
4
+ TrustedAccounts:
5
+ Description: List of AWS accounts that are trusted to publish assets and deploy
6
+ stacks to this environment
7
+ Default: ''
8
+ Type: CommaDelimitedList
9
+ TrustedAccountsForLookup:
10
+ Description: List of AWS accounts that are trusted to look up values in this
11
+ environment
12
+ Default: ''
13
+ Type: CommaDelimitedList
14
+ CloudFormationExecutionPolicies:
15
+ Description: List of the ManagedPolicy ARN(s) to attach to the CloudFormation
16
+ deployment role
17
+ Default: ''
18
+ Type: CommaDelimitedList
19
+ FileAssetsBucketName:
20
+ Description: The name of the S3 bucket used for file assets
21
+ Default: ''
22
+ Type: String
23
+ FileAssetsBucketKmsKeyId:
24
+ Description: Empty to create a new key (default), 'AWS_MANAGED_KEY' to use a managed
25
+ S3 key, or the ID/ARN of an existing key.
26
+ Default: ''
27
+ Type: String
28
+ ContainerAssetsRepositoryName:
29
+ Description: A user-provided custom name to use for the container assets ECR repository
30
+ Default: ''
31
+ Type: String
32
+ Qualifier:
33
+ Description: An identifier to distinguish multiple bootstrap stacks in the same environment
34
+ Default: hnb659fds
35
+ Type: String
36
+ # "cdk-(qualifier)-image-publishing-role-(account)-(region)" needs to be <= 64 chars
37
+ # account = 12, region <= 14, 10 chars for qualifier and 28 for rest of role name
38
+ AllowedPattern: "[A-Za-z0-9_-]{1,10}"
39
+ ConstraintDescription: Qualifier must be an alphanumeric identifier of at most 10 characters
40
+ PublicAccessBlockConfiguration:
41
+ Description: Whether or not to enable S3 Staging Bucket Public Access Block Configuration
42
+ Default: 'true'
43
+ Type: 'String'
44
+ AllowedValues: ['true', 'false']
45
+ InputPermissionsBoundary:
46
+ Description: Whether or not to use either the CDK supplied or custom permissions boundary
47
+ Default: ''
48
+ Type: 'String'
49
+ UseExamplePermissionsBoundary:
50
+ Default: 'false'
51
+ AllowedValues: [ 'true', 'false' ]
52
+ Type: String
53
+ BootstrapVariant:
54
+ Type: String
55
+ Default: 'AWS CDK: Default Resources'
56
+ Description: Describe the provenance of the resources in this bootstrap
57
+ stack. Change this when you customize the template. To prevent accidents,
58
+ the CDK CLI will not overwrite bootstrap stacks with a different variant.
59
+ Conditions:
60
+ HasTrustedAccounts:
61
+ Fn::Not:
62
+ - Fn::Equals:
63
+ - ''
64
+ - Fn::Join:
65
+ - ''
66
+ - Ref: TrustedAccounts
67
+ HasTrustedAccountsForLookup:
68
+ Fn::Not:
69
+ - Fn::Equals:
70
+ - ''
71
+ - Fn::Join:
72
+ - ''
73
+ - Ref: TrustedAccountsForLookup
74
+ HasCloudFormationExecutionPolicies:
75
+ Fn::Not:
76
+ - Fn::Equals:
77
+ - ''
78
+ - Fn::Join:
79
+ - ''
80
+ - Ref: CloudFormationExecutionPolicies
81
+ HasCustomFileAssetsBucketName:
82
+ Fn::Not:
83
+ - Fn::Equals:
84
+ - ''
85
+ - Ref: FileAssetsBucketName
86
+ CreateNewKey:
87
+ Fn::Equals:
88
+ - ''
89
+ - Ref: FileAssetsBucketKmsKeyId
90
+ UseAwsManagedKey:
91
+ Fn::Equals:
92
+ - 'AWS_MANAGED_KEY'
93
+ - Ref: FileAssetsBucketKmsKeyId
94
+ ShouldCreatePermissionsBoundary:
95
+ Fn::Equals:
96
+ - 'true'
97
+ - Ref: UseExamplePermissionsBoundary
98
+ PermissionsBoundarySet:
99
+ Fn::Not:
100
+ - Fn::Equals:
101
+ - ''
102
+ - Ref: InputPermissionsBoundary
103
+ HasCustomContainerAssetsRepositoryName:
104
+ Fn::Not:
105
+ - Fn::Equals:
106
+ - ''
107
+ - Ref: ContainerAssetsRepositoryName
108
+ UsePublicAccessBlockConfiguration:
109
+ Fn::Equals:
110
+ - 'true'
111
+ - Ref: PublicAccessBlockConfiguration
112
+ Resources:
113
+ FileAssetsBucketEncryptionKey:
114
+ Type: AWS::KMS::Key
115
+ Properties:
116
+ KeyPolicy:
117
+ Statement:
118
+ - Action:
119
+ - kms:Create*
120
+ - kms:Describe*
121
+ - kms:Enable*
122
+ - kms:List*
123
+ - kms:Put*
124
+ - kms:Update*
125
+ - kms:Revoke*
126
+ - kms:Disable*
127
+ - kms:Get*
128
+ - kms:Delete*
129
+ - kms:ScheduleKeyDeletion
130
+ - kms:CancelKeyDeletion
131
+ - kms:GenerateDataKey
132
+ - kms:TagResource
133
+ - kms:UntagResource
134
+ Effect: Allow
135
+ Principal:
136
+ AWS:
137
+ Ref: AWS::AccountId
138
+ Resource: "*"
139
+ - Action:
140
+ - kms:Decrypt
141
+ - kms:DescribeKey
142
+ - kms:Encrypt
143
+ - kms:ReEncrypt*
144
+ - kms:GenerateDataKey*
145
+ Effect: Allow
146
+ Principal:
147
+ # Not actually everyone -- see below for Conditions
148
+ AWS: "*"
149
+ Resource: "*"
150
+ Condition:
151
+ StringEquals:
152
+ # See https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-caller-account
153
+ kms:CallerAccount:
154
+ Ref: AWS::AccountId
155
+ kms:ViaService:
156
+ - Fn::Sub: s3.${AWS::Region}.amazonaws.com
157
+ - Action:
158
+ - kms:Decrypt
159
+ - kms:DescribeKey
160
+ - kms:Encrypt
161
+ - kms:ReEncrypt*
162
+ - kms:GenerateDataKey*
163
+ Effect: Allow
164
+ Principal:
165
+ AWS:
166
+ Fn::Sub: "${FilePublishingRole.Arn}"
167
+ Resource: "*"
168
+ Condition: CreateNewKey
169
+ FileAssetsBucketEncryptionKeyAlias:
170
+ Condition: CreateNewKey
171
+ Type: AWS::KMS::Alias
172
+ Properties:
173
+ AliasName:
174
+ Fn::Sub: "alias/cdk-${Qualifier}-assets-key"
175
+ TargetKeyId:
176
+ Ref: FileAssetsBucketEncryptionKey
177
+ StagingBucket:
178
+ Type: AWS::S3::Bucket
179
+ Properties:
180
+ BucketName:
181
+ Fn::If:
182
+ - HasCustomFileAssetsBucketName
183
+ - Fn::Sub: "${FileAssetsBucketName}"
184
+ - Fn::Sub: cdk-${Qualifier}-assets-${AWS::AccountId}-${AWS::Region}
185
+ AccessControl: Private
186
+ BucketEncryption:
187
+ ServerSideEncryptionConfiguration:
188
+ - ServerSideEncryptionByDefault:
189
+ SSEAlgorithm: aws:kms
190
+ KMSMasterKeyID:
191
+ Fn::If:
192
+ - CreateNewKey
193
+ - Fn::Sub: "${FileAssetsBucketEncryptionKey.Arn}"
194
+ - Fn::If:
195
+ - UseAwsManagedKey
196
+ - Ref: AWS::NoValue
197
+ - Fn::Sub: "${FileAssetsBucketKmsKeyId}"
198
+ PublicAccessBlockConfiguration:
199
+ Fn::If:
200
+ - UsePublicAccessBlockConfiguration
201
+ - BlockPublicAcls: true
202
+ BlockPublicPolicy: true
203
+ IgnorePublicAcls: true
204
+ RestrictPublicBuckets: true
205
+ - Ref: AWS::NoValue
206
+ VersioningConfiguration:
207
+ Status: Enabled
208
+ LifecycleConfiguration:
209
+ Rules:
210
+ # Exising objects will never be overwritten but Security Hub wants this rule to exist
211
+ - Id: CleanupOldVersions
212
+ Status: Enabled
213
+ NoncurrentVersionExpiration:
214
+ NoncurrentDays: 365
215
+ UpdateReplacePolicy: Retain
216
+ DeletionPolicy: Retain
217
+ StagingBucketPolicy:
218
+ Type: 'AWS::S3::BucketPolicy'
219
+ Properties:
220
+ Bucket: { Ref: 'StagingBucket' }
221
+ PolicyDocument:
222
+ Id: 'AccessControl'
223
+ Version: '2012-10-17'
224
+ Statement:
225
+ - Sid: 'AllowSSLRequestsOnly'
226
+ Action: 's3:*'
227
+ Effect: 'Deny'
228
+ Resource:
229
+ - { 'Fn::Sub': '${StagingBucket.Arn}' }
230
+ - { 'Fn::Sub': '${StagingBucket.Arn}/*' }
231
+ Condition:
232
+ Bool: { 'aws:SecureTransport': 'false' }
233
+ Principal: '*'
234
+ ContainerAssetsRepository:
235
+ Type: AWS::ECR::Repository
236
+ Properties:
237
+ ImageTagMutability: IMMUTABLE
238
+ # Untagged images should never exist but Security Hub wants this rule to exist
239
+ LifecyclePolicy:
240
+ LifecyclePolicyText: |
241
+ {
242
+ "rules": [
243
+ {
244
+ "rulePriority": 1,
245
+ "description": "Untagged images should not exist, but expire any older than one year",
246
+ "selection": {
247
+ "tagStatus": "untagged",
248
+ "countType": "sinceImagePushed",
249
+ "countUnit": "days",
250
+ "countNumber": 365
251
+ },
252
+ "action": { "type": "expire" }
253
+ }
254
+ ]
255
+ }
256
+ RepositoryName:
257
+ Fn::If:
258
+ - HasCustomContainerAssetsRepositoryName
259
+ - Fn::Sub: "${ContainerAssetsRepositoryName}"
260
+ - Fn::Sub: cdk-${Qualifier}-container-assets-${AWS::AccountId}-${AWS::Region}
261
+ RepositoryPolicyText:
262
+ Version: "2012-10-17"
263
+ Statement:
264
+ # Necessary for Lambda container images
265
+ # https://docs.aws.amazon.com/lambda/latest/dg/configuration-images.html#configuration-images-permissions
266
+ - Sid: LambdaECRImageRetrievalPolicy
267
+ Effect: Allow
268
+ Principal: { Service: "lambda.amazonaws.com" }
269
+ Action:
270
+ - ecr:BatchGetImage
271
+ - ecr:GetDownloadUrlForLayer
272
+ Condition:
273
+ StringLike:
274
+ "aws:sourceArn": { "Fn::Sub": "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:*" }
275
+ FilePublishingRole:
276
+ Type: AWS::IAM::Role
277
+ Properties:
278
+ AssumeRolePolicyDocument:
279
+ Statement:
280
+ # The TagSession action is required to be able to assume this role with session tags.
281
+ # Without this trust policy, attemping to assume this role with session tags will fail.
282
+ - Action: sts:TagSession
283
+ Effect: Allow
284
+ Principal:
285
+ AWS:
286
+ Ref: AWS::AccountId
287
+ - Action: sts:AssumeRole
288
+ Effect: Allow
289
+ Principal:
290
+ AWS:
291
+ Ref: AWS::AccountId
292
+ - Fn::If:
293
+ - HasTrustedAccounts
294
+ - Action: sts:AssumeRole
295
+ Effect: Allow
296
+ Principal:
297
+ AWS:
298
+ Ref: TrustedAccounts
299
+ - Ref: AWS::NoValue
300
+ RoleName:
301
+ Fn::Sub: cdk-${Qualifier}-file-publishing-role-${AWS::AccountId}-${AWS::Region}
302
+ Tags:
303
+ - Key: aws-cdk:bootstrap-role
304
+ Value: file-publishing
305
+ ImagePublishingRole:
306
+ Type: AWS::IAM::Role
307
+ Properties:
308
+ AssumeRolePolicyDocument:
309
+ Statement:
310
+ # The TagSession action is required to be able to assume this role with session tags.
311
+ # Without this trust policy, attemping to assume this role with session tags will fail.
312
+ - Action: sts:TagSession
313
+ Effect: Allow
314
+ Principal:
315
+ AWS:
316
+ Ref: AWS::AccountId
317
+ - Action: sts:AssumeRole
318
+ Effect: Allow
319
+ Principal:
320
+ AWS:
321
+ Ref: AWS::AccountId
322
+ - Fn::If:
323
+ - HasTrustedAccounts
324
+ - Action: sts:AssumeRole
325
+ Effect: Allow
326
+ Principal:
327
+ AWS:
328
+ Ref: TrustedAccounts
329
+ - Ref: AWS::NoValue
330
+ RoleName:
331
+ Fn::Sub: cdk-${Qualifier}-image-publishing-role-${AWS::AccountId}-${AWS::Region}
332
+ Tags:
333
+ - Key: aws-cdk:bootstrap-role
334
+ Value: image-publishing
335
+ LookupRole:
336
+ Type: AWS::IAM::Role
337
+ Properties:
338
+ AssumeRolePolicyDocument:
339
+ Statement:
340
+ - Action: sts:AssumeRole
341
+ Effect: Allow
342
+ Principal:
343
+ AWS:
344
+ Ref: AWS::AccountId
345
+ # The TagSession action is required to be able to assume this role with session tags.
346
+ # Without this trust policy, attemping to assume this role with session tags will fail.
347
+ - Action: sts:TagSession
348
+ Effect: Allow
349
+ Principal:
350
+ AWS:
351
+ Ref: AWS::AccountId
352
+ - Fn::If:
353
+ - HasTrustedAccountsForLookup
354
+ - Action: sts:AssumeRole
355
+ Effect: Allow
356
+ Principal:
357
+ AWS:
358
+ Ref: TrustedAccountsForLookup
359
+ - Ref: AWS::NoValue
360
+ - Fn::If:
361
+ - HasTrustedAccounts
362
+ - Action: sts:AssumeRole
363
+ Effect: Allow
364
+ Principal:
365
+ AWS:
366
+ Ref: TrustedAccounts
367
+ - Ref: AWS::NoValue
368
+ RoleName:
369
+ Fn::Sub: cdk-${Qualifier}-lookup-role-${AWS::AccountId}-${AWS::Region}
370
+ ManagedPolicyArns:
371
+ - Fn::Sub: "arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess"
372
+ Policies:
373
+ - PolicyDocument:
374
+ Statement:
375
+ - Sid: DontReadSecrets
376
+ Effect: Deny
377
+ Action:
378
+ - kms:Decrypt
379
+ Resource: "*"
380
+ Version: '2012-10-17'
381
+ PolicyName: LookupRolePolicy
382
+ Tags:
383
+ - Key: aws-cdk:bootstrap-role
384
+ Value: lookup
385
+ FilePublishingRoleDefaultPolicy:
386
+ Type: AWS::IAM::Policy
387
+ Properties:
388
+ PolicyDocument:
389
+ Statement:
390
+ - Action:
391
+ - s3:GetObject*
392
+ - s3:GetBucket*
393
+ - s3:GetEncryptionConfiguration
394
+ - s3:List*
395
+ - s3:DeleteObject*
396
+ - s3:PutObject*
397
+ - s3:Abort*
398
+ Resource:
399
+ - Fn::Sub: "${StagingBucket.Arn}"
400
+ - Fn::Sub: "${StagingBucket.Arn}/*"
401
+ Condition:
402
+ StringEquals:
403
+ aws:ResourceAccount:
404
+ - Fn::Sub: ${AWS::AccountId}
405
+ Effect: Allow
406
+ - Action:
407
+ - kms:Decrypt
408
+ - kms:DescribeKey
409
+ - kms:Encrypt
410
+ - kms:ReEncrypt*
411
+ - kms:GenerateDataKey*
412
+ Effect: Allow
413
+ Resource:
414
+ Fn::If:
415
+ - CreateNewKey
416
+ - Fn::Sub: "${FileAssetsBucketEncryptionKey.Arn}"
417
+ - Fn::Sub: arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${FileAssetsBucketKmsKeyId}
418
+ Version: '2012-10-17'
419
+ Roles:
420
+ - Ref: FilePublishingRole
421
+ PolicyName:
422
+ Fn::Sub: cdk-${Qualifier}-file-publishing-role-default-policy-${AWS::AccountId}-${AWS::Region}
423
+ ImagePublishingRoleDefaultPolicy:
424
+ Type: AWS::IAM::Policy
425
+ Properties:
426
+ PolicyDocument:
427
+ Statement:
428
+ - Action:
429
+ - ecr:PutImage
430
+ - ecr:InitiateLayerUpload
431
+ - ecr:UploadLayerPart
432
+ - ecr:CompleteLayerUpload
433
+ - ecr:BatchCheckLayerAvailability
434
+ - ecr:DescribeRepositories
435
+ - ecr:DescribeImages
436
+ - ecr:BatchGetImage
437
+ - ecr:GetDownloadUrlForLayer
438
+ Resource:
439
+ Fn::Sub: "${ContainerAssetsRepository.Arn}"
440
+ Effect: Allow
441
+ - Action:
442
+ - ecr:GetAuthorizationToken
443
+ Resource: "*"
444
+ Effect: Allow
445
+ Version: '2012-10-17'
446
+ Roles:
447
+ - Ref: ImagePublishingRole
448
+ PolicyName:
449
+ Fn::Sub: cdk-${Qualifier}-image-publishing-role-default-policy-${AWS::AccountId}-${AWS::Region}
450
+ DeploymentActionRole:
451
+ Type: AWS::IAM::Role
452
+ Properties:
453
+ AssumeRolePolicyDocument:
454
+ Statement:
455
+ - Action: sts:AssumeRole
456
+ Effect: Allow
457
+ Principal:
458
+ AWS:
459
+ Ref: AWS::AccountId
460
+ # The TagSession action is required to be able to assume this role with session tags.
461
+ # Without this trust policy, attemping to assume this role with session tags will fail.
462
+ - Action: sts:TagSession
463
+ Effect: Allow
464
+ Principal:
465
+ AWS:
466
+ Ref: AWS::AccountId
467
+ - Fn::If:
468
+ - HasTrustedAccounts
469
+ - Action: sts:AssumeRole
470
+ Effect: Allow
471
+ Principal:
472
+ AWS:
473
+ Ref: TrustedAccounts
474
+ - Ref: AWS::NoValue
475
+ Policies:
476
+ - PolicyDocument:
477
+ Statement:
478
+ - Sid: CloudFormationPermissions
479
+ Effect: Allow
480
+ Action:
481
+ - cloudformation:CreateChangeSet
482
+ - cloudformation:DeleteChangeSet
483
+ - cloudformation:DescribeChangeSet
484
+ - cloudformation:DescribeStacks
485
+ - cloudformation:ExecuteChangeSet
486
+ - cloudformation:CreateStack
487
+ - cloudformation:UpdateStack
488
+ Resource: "*"
489
+ - Sid: PipelineCrossAccountArtifactsBucket
490
+ # Read/write buckets in different accounts. Permissions to buckets in
491
+ # same account are granted by bucket policies.
492
+ #
493
+ # Write permissions necessary to write outputs to the cross-region artifact replication bucket
494
+ # https://aws.amazon.com/premiumsupport/knowledge-center/codepipeline-deploy-cloudformation/.
495
+ Effect: Allow
496
+ Action:
497
+ - s3:GetObject*
498
+ - s3:GetBucket*
499
+ - s3:List*
500
+ - s3:Abort*
501
+ - s3:DeleteObject*
502
+ - s3:PutObject*
503
+ Resource: "*"
504
+ Condition:
505
+ StringNotEquals:
506
+ s3:ResourceAccount:
507
+ Ref: 'AWS::AccountId'
508
+ - Sid: PipelineCrossAccountArtifactsKey
509
+ # Use keys only for the purposes of reading encrypted files from S3.
510
+ Effect: Allow
511
+ Action:
512
+ - kms:Decrypt
513
+ - kms:DescribeKey
514
+ - kms:Encrypt
515
+ - kms:ReEncrypt*
516
+ - kms:GenerateDataKey*
517
+ Resource: "*"
518
+ Condition:
519
+ StringEquals:
520
+ kms:ViaService:
521
+ Fn::Sub: s3.${AWS::Region}.amazonaws.com
522
+ - Action: iam:PassRole
523
+ Resource:
524
+ Fn::Sub: "${CloudFormationExecutionRole.Arn}"
525
+ Effect: Allow
526
+ # Permissions to allow the Deploy Role to perform SQS Actions.
527
+ # Users of this bootstrap template intend to uses the Deploy Role
528
+ # instead of the CFN ExecutionRole, so the deploy role needs permissions
529
+ # to perform CFN actions; in this simple case, we only permit SQS Actions.
530
+ - Sid: SQSPermissions
531
+ Action: sqs:*
532
+ Resource: "*"
533
+ Effect: Allow
534
+ # This condition requires that the Deploy Role is assumed with the session tags
535
+ # 'Department: Engineering'; if these tags are not passed in, the DeployRole will
536
+ # not be able to perform SQS actions.
537
+ Condition:
538
+ StringEquals:
539
+ aws:PrincipalTag/Department: "Engineering"
540
+ - Sid: CliPermissions
541
+ Action:
542
+ # Permissions needed by the CLI when doing `cdk deploy`.
543
+ # Our CI/CD does not need DeleteStack,
544
+ # but we also want to use this role from the CLI,
545
+ # and there you can call `cdk destroy`
546
+ - cloudformation:DescribeStackEvents
547
+ - cloudformation:GetTemplate
548
+ - cloudformation:DeleteStack
549
+ - cloudformation:UpdateTerminationProtection
550
+ - sts:GetCallerIdentity
551
+ # `cdk import`
552
+ - cloudformation:GetTemplateSummary
553
+ Resource: "*"
554
+ Effect: Allow
555
+ - Sid: CliStagingBucket
556
+ Effect: Allow
557
+ Action:
558
+ - s3:GetObject*
559
+ - s3:GetBucket*
560
+ - s3:List*
561
+ Resource:
562
+ - Fn::Sub: ${StagingBucket.Arn}
563
+ - Fn::Sub: ${StagingBucket.Arn}/*
564
+ - Sid: ReadVersion
565
+ Effect: Allow
566
+ Action:
567
+ - ssm:GetParameter
568
+ - ssm:GetParameters # CreateChangeSet uses this to evaluate any SSM parameters (like `CdkBootstrapVersion`)
569
+ Resource:
570
+ - Fn::Sub: "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter${CdkBootstrapVersion}"
571
+ Version: '2012-10-17'
572
+ PolicyName: default
573
+ RoleName:
574
+ Fn::Sub: cdk-${Qualifier}-deploy-role-${AWS::AccountId}-${AWS::Region}
575
+ Tags:
576
+ - Key: aws-cdk:bootstrap-role
577
+ Value: deploy
578
+ CloudFormationExecutionRole:
579
+ Type: AWS::IAM::Role
580
+ Properties:
581
+ AssumeRolePolicyDocument:
582
+ Statement:
583
+ - Action: sts:AssumeRole
584
+ Effect: Allow
585
+ Principal:
586
+ Service: cloudformation.amazonaws.com
587
+ Version: '2012-10-17'
588
+ ManagedPolicyArns:
589
+ Fn::If:
590
+ - HasCloudFormationExecutionPolicies
591
+ - Ref: CloudFormationExecutionPolicies
592
+ - Fn::If:
593
+ - HasTrustedAccounts
594
+ # The CLI will prevent this case from occurring
595
+ - Ref: AWS::NoValue
596
+ # The CLI will advertise that we picked this implicitly
597
+ - - Fn::Sub: "arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess"
598
+ RoleName:
599
+ Fn::Sub: cdk-${Qualifier}-cfn-exec-role-${AWS::AccountId}-${AWS::Region}
600
+ PermissionsBoundary:
601
+ Fn::If:
602
+ - PermissionsBoundarySet
603
+ - Fn::Sub: 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${InputPermissionsBoundary}'
604
+ - Ref: AWS::NoValue
605
+ CdkBoostrapPermissionsBoundaryPolicy:
606
+ # Edit the template prior to boostrap in order to have this example policy created
607
+ Condition: ShouldCreatePermissionsBoundary
608
+ Type: AWS::IAM::ManagedPolicy
609
+ Properties:
610
+ PolicyDocument:
611
+ Statement:
612
+ # If permission boundaries do not have an explicit `allow`, then the effect is `deny`
613
+ - Sid: ExplicitAllowAll
614
+ Action:
615
+ - "*"
616
+ Effect: Allow
617
+ Resource: "*"
618
+ # Default permissions to prevent privilege escalation
619
+ - Sid: DenyAccessIfRequiredPermBoundaryIsNotBeingApplied
620
+ Action:
621
+ - iam:CreateUser
622
+ - iam:CreateRole
623
+ - iam:PutRolePermissionsBoundary
624
+ - iam:PutUserPermissionsBoundary
625
+ Condition:
626
+ StringNotEquals:
627
+ iam:PermissionsBoundary:
628
+ Fn::Sub: arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/cdk-${Qualifier}-permissions-boundary-${AWS::AccountId}-${AWS::Region}
629
+ Effect: Deny
630
+ Resource: "*"
631
+ # Forbid the policy itself being edited
632
+ - Sid: DenyPermBoundaryIAMPolicyAlteration
633
+ Action:
634
+ - iam:CreatePolicyVersion
635
+ - iam:DeletePolicy
636
+ - iam:DeletePolicyVersion
637
+ - iam:SetDefaultPolicyVersion
638
+ Effect: Deny
639
+ Resource:
640
+ Fn::Sub: arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/cdk-${Qualifier}-permissions-boundary-${AWS::AccountId}-${AWS::Region}
641
+ # Forbid removing the permissions boundary from any user or role that has it associated
642
+ - Sid: DenyRemovalOfPermBoundaryFromAnyUserOrRole
643
+ Action:
644
+ - iam:DeleteUserPermissionsBoundary
645
+ - iam:DeleteRolePermissionsBoundary
646
+ Effect: Deny
647
+ Resource: "*"
648
+ # Add your specific organizational security policy here
649
+ # Uncomment the example to deny access to AWS Config
650
+ #- Sid: OrganizationalSecurityPolicy
651
+ # Action:
652
+ # - "config:*"
653
+ # Effect: Deny
654
+ # Resource: "*"
655
+ Version: "2012-10-17"
656
+ Description: "Bootstrap Permission Boundary"
657
+ ManagedPolicyName:
658
+ Fn::Sub: cdk-${Qualifier}-permissions-boundary-${AWS::AccountId}-${AWS::Region}
659
+ Path: /
660
+ # The SSM parameter is used in pipeline-deployed templates to verify the version
661
+ # of the bootstrap resources.
662
+ CdkBootstrapVersion:
663
+ Type: AWS::SSM::Parameter
664
+ Properties:
665
+ Type: String
666
+ Name:
667
+ Fn::Sub: '/cdk-bootstrap/${Qualifier}/version'
668
+ Value: '22'
669
+ Outputs:
670
+ BucketName:
671
+ Description: The name of the S3 bucket owned by the CDK toolkit stack
672
+ Value:
673
+ Fn::Sub: "${StagingBucket}"
674
+ BucketDomainName:
675
+ Description: The domain name of the S3 bucket owned by the CDK toolkit stack
676
+ Value:
677
+ Fn::Sub: "${StagingBucket.RegionalDomainName}"
678
+ # @deprecated - This Export can be removed at some future point in time.
679
+ # We can't do it today because if there are stacks that use it, the bootstrap
680
+ # stack cannot be updated. Not used anymore by apps >= 1.60.0
681
+ FileAssetKeyArn:
682
+ Description: The ARN of the KMS key used to encrypt the asset bucket (deprecated)
683
+ Value:
684
+ Fn::If:
685
+ - CreateNewKey
686
+ - Fn::Sub: "${FileAssetsBucketEncryptionKey.Arn}"
687
+ - Fn::Sub: "${FileAssetsBucketKmsKeyId}"
688
+ Export:
689
+ Name:
690
+ Fn::Sub: CdkBootstrap-${Qualifier}-FileAssetKeyArn
691
+ ImageRepositoryName:
692
+ Description: The name of the ECR repository which hosts docker image assets
693
+ Value:
694
+ Fn::Sub: "${ContainerAssetsRepository}"
695
+ # The Output is used by the CLI to verify the version of the bootstrap resources.
696
+ BootstrapVersion:
697
+ Description: The version of the bootstrap resources that are currently mastered
698
+ in this stack
699
+ Value:
700
+ Fn::GetAtt: [CdkBootstrapVersion, Value]
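Review bot: The `SQSPermissions` statement on `DeploymentActionRole` grants `sqs:*` on `Resource: "*"` gated only by `aws:PrincipalTag/Department: "Engineering"`, but nothing in the role's trust policy constrains which tag values a caller may pass: the `sts:TagSession` statement is open to every principal in the account (`AWS: Ref: AWS::AccountId`), so any caller that can assume the role can also attach the tag that unlocks the grant, which makes the condition a labelling convention rather than a control. If the tag is meant as a control rather than a fixture for the session-tag integration test, add a `Condition:` / `StringEquals:` / `aws:RequestTag/Department: Engineering` block to that `sts:TagSession` statement, and note that the `HasTrustedAccounts` branch grants `sts:AssumeRole` but not `sts:TagSession`, so cross-account trusted principals cannot satisfy the tag condition at all. Separately, `BootstrapVariant` keeps `Default: 'AWS CDK: Default Resources'` although the template is customized with the SQS statement, which defeats the overwrite protection its own description says the CLI applies to customized stacks; a distinct default such as `'AWS CDK: Session Tag Test'` (constructed example) would keep that check effective.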